Cyrus Vafadari created HTTPCLIENT-2138:
------------------------------------------

             Summary: Debug Log level logs sensitive information
                 Key: HTTPCLIENT-2138
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2138
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient (classic)
            Reporter: Cyrus Vafadari


When I enable debug level logging, I see

```
[2021-01-20 18:02:35,862] DEBUG http-outgoing-0 >> Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64> (org.apache.http.headers:139)
[2021-01-20 18:02:35,884] DEBUG http-outgoing-0 >> "Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64>[\r][\n]" (org.apache.http.wire:54)
[2021-01-20 18:02:35,899] DEBUG http-outgoing-0 << " <title>Unauthorized (401)</title>[\n]" (org.apache.http.wire:54)
```


If agreed, I can open a PR to mask secrets in the debug log. If that makes the 
log less useful, I can at least make this configurable, since in my case it is 
a security violation to have any secrets whatsoever in the logs.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
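
The kind of masking discussed in the report, sketched as an added example (not HttpClient code and not part of the original message). The class `AuthHeaderMasker`, the method `mask` and the sample credential values are assumptions made for illustration; the log line shapes follow the `org.apache.http.headers` and `org.apache.http.wire` output quoted above.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper: masks credentials in one already-formatted log line.
public class AuthHeaderMasker {
    // group(1): header name and separator; group(2): scheme, only for the
    // single-token schemes Basic and Bearer. Any other value falls through to
    // the second alternative, which swallows the rest of the line (fail closed).
    private static final Pattern AUTH = Pattern.compile(
        "((?:Proxy-)?Authorization:[ \\t]*)(?:(Basic|Bearer)[ \\t]+[^\\s\"\\[]+|[^\\r\\n]*)",
        Pattern.CASE_INSENSITIVE);

    static String mask(String logLine) {
        Matcher m = AUTH.matcher(logLine);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            // Keep the scheme when it is known, so the log stays useful for debugging.
            String kept = m.group(2) != null ? m.group(2) + " ***" : "***";
            m.appendReplacement(out, Matcher.quoteReplacement(m.group(1) + kept));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample lines; the credential values are made up.
        String[] lines = {
            "DEBUG http-outgoing-0 >> Authorization: Basic dXNlcjpwYXNz (org.apache.http.headers:139)",
            "DEBUG http-outgoing-0 >> \"Authorization: Basic dXNlcjpwYXNz[\\r][\\n]\" (org.apache.http.wire:54)",
            "DEBUG http-outgoing-0 >> Proxy-Authorization: Negotiate YIIabc123 (org.apache.http.headers:139)",
            "DEBUG http-outgoing-0 << \" <title>Unauthorized (401)</title>[\\n]\" (org.apache.http.wire:54)"
        };
        for (String line : lines) {
            System.out.println(mask(line));
        }
    }
}
```

The first two lines come out as `Authorization: Basic ***` with the wire markers and logger name intact, the `Negotiate` line loses everything after the header name, and the response line is unchanged.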
